Casey Marshall wrote:

I've been hacking together a way to use rsync with OpenSSL, and have
attached my current patch against a recent CVS tree. The details of
this implementation are:

  1. The SSL code is added as a "layer" that is forked into its own
     process.

  2. An SSL connection is established by the client issuing the
     command:

       #starttls

     And, if the daemon allows SSL, it replies with

       @RSYNCD: starttls

     At which point both sides begin negotiating the SSL connection.
     Servers that can't or don't want to use SSL just treat it as a
     normal unknown command.

  3. The SSL code is meant to be unobtrusive, and when this patch is
     applied the program may still be built with no SSL code.

  4. There are a number of details not implemented.

All warnings apply; I don't do C programming all that often, so I
can't say if I've left any cleanup/compatibility errors in the code.

To use this patch, run these commands for a successful build:

    patch -p1 <patches/openssl-support.diff
    ./prepare-source
    ./configure
    make

based-on: 1ddcdaf3f6808ba53aef9e19f630a18808de22ac
diff --git a/Makefile.in b/Makefile.in
--- a/Makefile.in
+++ b/Makefile.in
@@ -40,7 +40,7 @@ OBJS3=progress.o pipe.o
 DAEMON_OBJ = params.o loadparm.o clientserver.o access.o connection.o authenticate.o
 popt_OBJS=popt/findme.o  popt/popt.o  popt/poptconfig.o \
 	popt/popthelp.o popt/poptparse.o
-OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@
+OBJS=$(OBJS1) $(OBJS2) $(OBJS3) $(DAEMON_OBJ) $(LIBOBJ) $(ZLIBOBJ) @BUILD_POPT@ @SSL_OBJS@
 
 TLS_OBJ = tls.o syscall.o lib/compat.o lib/snprintf.o lib/permstring.o lib/sysxattrs.o @BUILD_POPT@
 
diff --git a/cleanup.c b/cleanup.c
--- a/cleanup.c
+++ b/cleanup.c
@@ -26,6 +26,9 @@ extern int am_server;
 extern int am_daemon;
 extern int am_receiver;
 extern int io_error;
+#ifdef HAVE_OPENSSL
+extern int use_ssl;
+#endif
 extern int keep_partial;
 extern int got_xfer_error;
 extern char *partial_dir;
@@ -129,6 +132,14 @@ NORETURN void _exit_cleanup(int code, const char *file, int line)
 				who_am_i(), code, file, line);
 		}
 
+#ifdef HAVE_OPENSSL
+		/* FALLTHROUGH */
+#include "case_N.h"
+
+		if (use_ssl)
+			end_tls();
+#endif
+
 		/* FALLTHROUGH */
 #include "case_N.h"
 		switch_step++;
diff --git a/clientserver.c b/clientserver.c
--- a/clientserver.c
+++ b/clientserver.c
@@ -31,6 +31,9 @@ extern int am_sender;
 extern int am_server;
 extern int am_daemon;
 extern int am_root;
+#ifdef HAVE_OPENSSL
+extern int use_ssl;
+#endif
 extern int rsync_port;
 extern int protect_args;
 extern int ignore_errors;
@@ -126,8 +129,18 @@ int start_socket_client(char *host, int remote_argc, char *remote_argv[],
 #endif
 
 	ret = start_inband_exchange(fd, fd, user, remote_argc, remote_argv);
+	if (ret)
+		return ret;
+
+#ifdef HAVE_OPENSSL
+	if (use_ssl) {
+		int f_in = get_tls_rfd();
+		int f_out = get_tls_wfd();
+		return client_run(f_in, f_out, -1, argc, argv);
+	}
+#endif
 
-	return ret ? ret : client_run(fd, fd, -1, argc, argv);
+	return client_run(fd, fd, -1, argc, argv);
 }
 
 static int exchange_protocols(int f_in, int f_out, char *buf, size_t bufsiz, int am_client)
@@ -273,6 +286,32 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
 	if (verbose > 1)
 		print_child_argv("sending daemon args:", sargs);
 
+#ifdef HAVE_OPENSSL
+	if (use_ssl) {
+		io_printf(f_out, "#starttls\n");
+		while (1) {
+			if (!read_line_old(f_in, line, sizeof line)) {
+				rprintf(FERROR, "rsync: did not receive reply to #starttls\n");
+				return -1;
+			}
+			if (strncmp(line, "@ERROR", 6) == 0) {
+				rprintf(FERROR, "%s\n", line);
+				return -1;
+			}
+			if (strcmp(line, "@RSYNCD: starttls") == 0)
+				break;
+			rprintf(FINFO, "%s\n", line);
+		}
+		if (start_tls(f_in, f_out)) {
+			rprintf(FERROR, "rsync: error during SSL handshake: %s\n",
+				get_ssl_error());
+			return -1;
+		}
+		f_in = get_tls_rfd();
+		f_out = get_tls_wfd();
+	}
+#endif
+
 	io_printf(f_out, "%.*s\n", modlen, modname);
 
 	/* Old servers may just drop the connection here,
@@ -298,6 +337,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
 			 * server to terminate the listing of modules.
 			 * We don't want to go on and transfer
 			 * anything; just exit. */
+#ifdef HAVE_OPENSSL
+			if (use_ssl)
+				end_tls();
+#endif
 			exit(0);
 		}
 
@@ -305,6 +348,10 @@ int start_inband_exchange(int f_in, int f_out, const char *user, int argc, char
 			rprintf(FERROR, "%s\n", line);
 			/* This is always fatal; the server will now
 			 * close the socket. */
+#ifdef HAVE_OPENSSL
+			if (use_ssl)
+				end_tls();
+#endif
 			return -1;
 		}
 
@@ -598,10 +645,17 @@ static int rsync_module(int f_in, int f_out, int i, char *addr, char *host)
 				return -1;
 			}
 			if (pid) {
+				close(f_in);
+				if (f_out != f_in)
+					close(f_out);
 				if (asprintf(&p, "RSYNC_PID=%ld", (long)pid) > 0)
 					putenv(p);
 				if (wait_process(pid, &status, 0) < 0)
 					status = -1;
+#ifdef HAVE_OPENSSL
+				if (use_ssl)
+					end_tls();
+#endif
 				if (asprintf(&p, "RSYNC_RAW_STATUS=%d", status) > 0)
 					putenv(p);
 				if (WIFEXITED(status))
@@ -944,6 +998,9 @@ int start_daemon(int f_in, int f_out)
 	if (exchange_protocols(f_in, f_out, line, sizeof line, 0) < 0)
 		return -1;
 
+#ifdef HAVE_OPENSSL
+  retry:
+#endif
 	line[0] = 0;
 	if (!read_line_old(f_in, line, sizeof line))
 		return -1;
@@ -955,6 +1012,20 @@ int start_daemon(int f_in, int f_out)
 		return -1;
 	}
 
+#ifdef HAVE_OPENSSL
+	if (use_ssl && strcmp(line, "#starttls") == 0) {
+		io_printf(f_out, "@RSYNCD: starttls\n");
+		if (start_tls(f_in, f_out)) {
+			rprintf(FLOG, "SSL connection failed: %s\n",
+				get_ssl_error());
+			return -1;
+		}
+		f_in = get_tls_rfd();
+		f_out = get_tls_wfd();
+		goto retry;
+	}
+#endif
+
 	if (*line == '#') {
 		/* it's some sort of command that I don't understand */
 		io_printf(f_out, "@ERROR: Unknown command '%s'\n", line);
diff --git a/configure.ac b/configure.ac
--- a/configure.ac
+++ b/configure.ac
@@ -312,6 +312,25 @@ if test x"$enable_locale" != x"no"; then
 	AC_DEFINE(CONFIG_LOCALE)
 fi
 
+AC_ARG_ENABLE(openssl,
+              AC_HELP_STRING([--enable-openssl], [compile SSL support with OpenSSL.]))
+
+if test "x$enable_openssl" != xno
+then
+	save_LIBS=$LIBS
+	LIBS="$LIBS -lcrypto"
+	have_ssl=yes
+	AC_CHECK_LIB(ssl, SSL_library_init, , [have_ssl=no])
+	if test "x$have_ssl" = xyes
+	then
+		AC_DEFINE(HAVE_OPENSSL, 1, [true if you want to use SSL.])
+		SSL_OBJS=ssl.o
+		AC_SUBST(SSL_OBJS)
+	else
+		LIBS=$save_LIBS
+	fi
+fi
+
 AC_MSG_CHECKING([whether to call shutdown on all sockets])
 case $host_os in
 	*cygwin* ) AC_MSG_RESULT(yes)
diff --git a/main.c b/main.c
--- a/main.c
+++ b/main.c
@@ -79,6 +79,9 @@ extern char *password_file;
 extern char curr_dir[MAXPATHLEN];
 extern struct file_list *first_flist;
 extern struct filter_list_struct daemon_filter_list;
+#ifdef HAVE_OPENSSL
+extern int use_ssl;
+#endif
 
 uid_t our_uid;
 int am_receiver = 0;  /* Only set to 1 after the receiver/generator fork. */
@@ -137,6 +140,52 @@ pid_t wait_process(pid_t pid, int *status_ptr, int flags)
 	return waited_pid;
 }
 
+/* Sends signal "signo", waits for the process to die, and if it doesn't, sends
+ * a SIGKILL.  If "graceful" is set, the initial "signo" signal is delayed by a
+ * second to try to let the process exit on its own first. */
+pid_t terminate_process(pid_t pid, int *status_ptr, int signo, int graceful)
+{
+	pid_t waited_pid;
+	int timeout = graceful ? 1000 : 3000;
+	if (!graceful)
+		kill(pid, signo);
+	while (1) {
+		waited_pid = wait_process(pid, status_ptr, timeout >= 0 ? WNOHANG : 0);
+		if (waited_pid)
+			break;
+		if (timeout == 0) {
+			if (graceful) {
+				graceful = 0;
+				timeout = 3000;
+			} else {
+				signo = SIGKILL;
+				timeout = -1;
+			}
+			rprintf(FINFO, "%s:%s shutdown didn't work - sending signal %d\n",
+				__FUNCTION__, graceful ? " graceful" : "", signo);
+			kill(pid, signo);
+		}
+
+		if (timeout > 0) {
+			/* interruptible wait and calculate the time left for waiting */
+			struct timeval tval, t1, t2;
+
+			gettimeofday(&t1, NULL);
+
+			tval.tv_sec = timeout/1000;
+			tval.tv_usec = (timeout%1000)*1000;
+			select(0, NULL, NULL, NULL, &tval);
+			gettimeofday(&t2, NULL);
+
+			timeout -= (t2.tv_sec-t1.tv_sec)*1000 + (t2.tv_usec-t1.tv_usec)/1000;
+			if (timeout < 0)
+				timeout = 0;
+		}
+	}
+
+	return waited_pid;
+}
+
 /* Wait for a process to exit, calling io_flush while waiting. */
 static void wait_process_with_flush(pid_t pid, int *exit_code_ptr)
 {
@@ -727,6 +776,11 @@ static void do_server_sender(int f_in, int f_out, int argc, char *argv[])
 		argv[0] = ".";
 	}
 
+#ifdef HAVE_OPENSSL
+	if (use_ssl)
+		start_tls_buffering();
+#endif
+
 	flist = send_file_list(f_out,argc,argv);
 	if (!flist || flist->used == 0)
 		exit_cleanup(0);
@@ -828,6 +882,10 @@ static int do_recv(int f_in, int f_out, char *local_name)
 		close(f_in);
 
 	io_start_buffering_out(f_out);
+#ifdef HAVE_OPENSSL
+	if (use_ssl)
+		start_tls_buffering();
+#endif
 
 	set_msg_fd_in(error_pipe[0]);
 	io_start_buffering_in(error_pipe[0]);
@@ -1022,6 +1080,10 @@ int client_run(int f_in, int f_out, pid_t pid, int argc, char *argv[])
 			io_start_buffering_out(f_out);
 		if (!filesfrom_host)
 			set_msg_fd_in(f_in);
+#ifdef HAVE_OPENSSL
+		if (use_ssl)
+			start_tls_buffering();
+#endif
 		send_filter_list(f_out);
 		if (filesfrom_host)
 			filesfrom_fd = f_in;
diff --git a/options.c b/options.c
--- a/options.c
+++ b/options.c
@@ -183,6 +183,14 @@ int logfile_format_has_o_or_i = 0;
 int always_checksum = 0;
 int list_only = 0;
 
+#ifdef HAVE_OPENSSL
+int use_ssl = 0;
+char *ssl_cert_path = NULL;
+char *ssl_key_path = NULL;
+char *ssl_key_passwd = NULL;
+char *ssl_ca_path = NULL;
+#endif
+
 #define MAX_BATCH_NAME_LEN 256	/* Must be less than MAXPATHLEN-13 */
 char *batch_name = NULL;
 
@@ -223,6 +231,7 @@ static void print_rsync_version(enum logcode f)
 	char const *links = "no ";
 	char const *iconv = "no ";
 	char const *ipv6 = "no ";
+	char const *ssl = "no ";
 	STRUCT_STAT *dumstat;
 
 #if SUBPROTOCOL_VERSION != 0
@@ -256,6 +265,9 @@ static void print_rsync_version(enum logcode f)
 #ifdef CAN_SET_SYMLINK_TIMES
 	symtimes = "";
 #endif
+#ifdef HAVE_OPENSSL
+	ssl = "";
+#endif
 
 	rprintf(f, "%s  version %s  protocol version %d%s\n",
 		RSYNC_NAME, RSYNC_VERSION, PROTOCOL_VERSION, subprotocol);
@@ -269,8 +281,8 @@ static void print_rsync_version(enum logcode f)
 		(int)(sizeof (int64) * 8));
 	rprintf(f, "    %ssocketpairs, %shardlinks, %ssymlinks, %sIPv6, batchfiles, %sinplace,\n",
 		got_socketpair, hardlinks, links, ipv6, have_inplace);
-	rprintf(f, "    %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes\n",
-		have_inplace, acls, xattrs, iconv, symtimes);
+	rprintf(f, "    %sappend, %sACLs, %sxattrs, %siconv, %ssymtimes, %sSSL\n",
+		have_inplace, acls, xattrs, iconv, symtimes, ssl);
 
 #ifdef MAINTAINER_MODE
 	rprintf(f, "Panic Action: \"%s\"\n", get_panic_action());
@@ -432,6 +444,13 @@ void usage(enum logcode F)
 #endif
   rprintf(F," -4, --ipv4                  prefer IPv4\n");
   rprintf(F," -6, --ipv6                  prefer IPv6\n");
+#ifdef HAVE_OPENSSL
+  rprintf(F,"     --ssl                   allow socket connections to use SSL\n");
+  rprintf(F,"     --ssl-cert=FILE         path to daemon's SSL certificate\n");
+  rprintf(F,"     --ssl-key=FILE          path to daemon's SSL private key\n");
+  rprintf(F,"     --ssl-key-passwd=PASS   password for PEM-encoded private key\n");
+  rprintf(F,"     --ssl-ca-certs=FILE     path to trusted CA certificates\n");
+#endif
   rprintf(F,"     --version               print version number\n");
   rprintf(F,"(-h) --help                  show this help (-h works with no other options)\n");
 
@@ -445,7 +464,7 @@ enum {OPT_VERSION = 1000, OPT_DAEMON, OPT_SENDER, OPT_EXCLUDE, OPT_EXCLUDE_FROM,
       OPT_FILTER, OPT_COMPARE_DEST, OPT_COPY_DEST, OPT_LINK_DEST, OPT_HELP,
       OPT_INCLUDE, OPT_INCLUDE_FROM, OPT_MODIFY_WINDOW, OPT_MIN_SIZE, OPT_CHMOD,
       OPT_READ_BATCH, OPT_WRITE_BATCH, OPT_ONLY_WRITE_BATCH, OPT_MAX_SIZE,
-      OPT_NO_D, OPT_APPEND, OPT_NO_ICONV,
+      OPT_NO_D, OPT_APPEND, OPT_NO_ICONV, OPT_USE_SSL,
       OPT_SERVER, OPT_REFUSED_BASE = 9000};
 
 static struct poptOption long_options[] = {
@@ -648,6 +667,13 @@ static struct poptOption long_options[] = {
   {"checksum-seed",    0,  POPT_ARG_INT,    &checksum_seed, 0, 0, 0 },
   {"server",           0,  POPT_ARG_NONE,   0, OPT_SERVER, 0, 0 },
   {"sender",           0,  POPT_ARG_NONE,   0, OPT_SENDER, 0, 0 },
+#ifdef HAVE_OPENSSL
+  {"ssl",              0,  POPT_ARG_NONE,   0, OPT_USE_SSL, 0, 0},
+  {"ssl-cert",         0,  POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key",          0,  POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key-passwd",   0,  POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
+  {"ssl-ca-certs",     0,  POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
+#endif
   /* All the following options switch us into daemon-mode option-parsing. */
   {"config",           0,  POPT_ARG_STRING, 0, OPT_DAEMON, 0, 0 },
   {"daemon",           0,  POPT_ARG_NONE,   0, OPT_DAEMON, 0, 0 },
@@ -673,6 +699,13 @@ static void daemon_usage(enum logcode F)
   rprintf(F," -v, --verbose               increase verbosity\n");
   rprintf(F," -4, --ipv4                  prefer IPv4\n");
   rprintf(F," -6, --ipv6                  prefer IPv6\n");
+#ifdef HAVE_OPENSSL
+  rprintf(F,"     --ssl                   allow socket connections to use SSL\n");
+  rprintf(F,"     --ssl-cert=FILE         path to daemon's SSL certificate\n");
+  rprintf(F,"     --ssl-key=FILE          path to daemon's SSL private key\n");
+  rprintf(F,"     --ssl-key-passwd=PASS   password for PEM-encoded private key\n");
+  rprintf(F,"     --ssl-ca-certs=FILE     path to trusted CA certificates\n");
+#endif
   rprintf(F,"     --help                  show this help screen\n");
 
   rprintf(F,"\n");
@@ -697,6 +730,13 @@ static struct poptOption long_daemon_options[] = {
   {"protocol",         0,  POPT_ARG_INT,    &protocol_version, 0, 0, 0 },
   {"server",           0,  POPT_ARG_NONE,   &am_server, 0, 0, 0 },
   {"temp-dir",        'T', POPT_ARG_STRING, &tmpdir, 0, 0, 0 },
+#ifdef HAVE_OPENSSL
+  {"ssl",              0,  POPT_ARG_NONE,   0, OPT_USE_SSL, 0, 0},
+  {"ssl-cert",         0,  POPT_ARG_STRING, &ssl_cert_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key",          0,  POPT_ARG_STRING, &ssl_key_path, OPT_USE_SSL, 0, 0},
+  {"ssl-key-passwd",   0,  POPT_ARG_STRING, &ssl_key_passwd, OPT_USE_SSL, 0, 0},
+  {"ssl-ca-certs",     0,  POPT_ARG_STRING, &ssl_ca_path, OPT_USE_SSL, 0, 0},
+#endif
   {"verbose",         'v', POPT_ARG_NONE,   0, 'v', 0, 0 },
   {"no-verbose",       0,  POPT_ARG_VAL,    &verbose, 0, 0, 0 },
   {"no-v",             0,  POPT_ARG_VAL,    &verbose, 0, 0, 0 },
@@ -978,6 +1018,12 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 					verbose++;
 					break;
 
+#ifdef HAVE_OPENSSL
+				case OPT_USE_SSL:
+					use_ssl = 1;
+					break;
+#endif
+
 				default:
 					rprintf(FERROR,
 					    "rsync: %s: %s (in daemon mode)\n",
@@ -1001,6 +1047,17 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 				exit_cleanup(RERR_SYNTAX);
 			}
 
+#ifdef HAVE_OPENSSL
+			if (use_ssl) {
+				if (init_tls()) {
+					snprintf(err_buf, sizeof(err_buf),
+						 "Openssl error: %s\n",
+						 get_ssl_error());
+					return 0;
+				}
+			}
+#endif
+
 			*argv_p = argv = poptGetArgs(pc);
 			*argc_p = argc = count_args(argv);
 			am_starting_up = 0;
@@ -1259,6 +1316,12 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 			return 0;
 #endif
 
+#ifdef HAVE_OPENSSL
+		case OPT_USE_SSL:
+			use_ssl = 1;
+			break;
+#endif
+
 		default:
 			/* A large opt value means that set_refuse_options()
 			 * turned this option off. */
@@ -1604,6 +1667,17 @@ int parse_arguments(int *argc_p, const char ***argv_p)
 	if (delay_updates && !partial_dir)
 		partial_dir = tmp_partialdir;
 
+#ifdef HAVE_OPENSSL
+	if (use_ssl) {
+		if (init_tls()) {
+			snprintf(err_buf, sizeof(err_buf),
+				 "Openssl error: %s\n",
+				 get_ssl_error());
+			return 0;
+		}
+	}
+#endif
+
 	if (inplace) {
 #ifdef HAVE_FTRUNCATE
 		if (partial_dir) {
@@ -2152,9 +2226,26 @@ static char *parse_hostspec(char *str, char **path_start_ptr, int *port_ptr)
 char *check_for_hostspec(char *s, char **host_ptr, int *port_ptr)
 {
 	char *path;
-
-	if (port_ptr && strncasecmp(URL_PREFIX, s, strlen(URL_PREFIX)) == 0) {
-		*host_ptr = parse_hostspec(s + strlen(URL_PREFIX), &path, port_ptr);
+	int url_prefix_len = sizeof URL_PREFIX - 1;
+
+	if (!port_ptr)
+		url_prefix_len = 0;
+	else if (strncasecmp(URL_PREFIX, s, url_prefix_len) != 0) {
+#ifdef HAVE_OPENSSL
+		url_prefix_len = sizeof SSL_URL_PREFIX - 1;
+		if (strncasecmp(SSL_URL_PREFIX, s, url_prefix_len) != 0)
+			url_prefix_len = 0;
+		else {
+			if (!use_ssl)
+				init_tls();
+			use_ssl = 1;
+		}
+#else
+		url_prefix_len = 0;
+#endif
+	}
+	if (url_prefix_len) {
+		*host_ptr = parse_hostspec(s + url_prefix_len, &path, port_ptr);
 		if (*host_ptr) {
 			if (!*port_ptr)
 				*port_ptr = RSYNC_PORT;
diff --git a/rsync.h b/rsync.h
--- a/rsync.h
+++ b/rsync.h
@@ -31,6 +31,7 @@
 
 #define DEFAULT_LOCK_FILE "/var/run/rsyncd.lock"
 #define URL_PREFIX "rsync://"
+#define SSL_URL_PREFIX "rsyncs://"
 
 #define SYMLINK_PREFIX "/rsyncd-munged/"  /* This MUST have a trailing slash! */
 #define SYMLINK_PREFIX_LEN ((int)sizeof SYMLINK_PREFIX - 1)
@@ -569,6 +570,11 @@ typedef unsigned int size_t;
 # define SIZEOF_INT64 SIZEOF_OFF_T
 #endif
 
+#ifdef HAVE_OPENSSL
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+#endif
+
 struct hashtable {
 	void *nodes;
 	int32 size, entries;
diff --git a/ssl.c b/ssl.c
new file mode 100644
--- /dev/null
+++ b/ssl.c
@@ -0,0 +1,604 @@
+/* -*- c-file-style: "linux" -*-
+ * ssl.c: operations for negotiating SSL rsync connections.
+ *
+ * Copyright (C) 2003  Casey Marshall <rsdio@metastatic.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "rsync.h"
+
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#else
+#include <sys/time.h>
+#include <sys/types.h>
+#include <unistd.h>
+#endif
+#include <string.h>
+
+#define SSL_MAX_RECORD_SIZE (1024*16) /* TLS record size */
+#define MAX_BUFFERING_TIME_MS	100
+
+extern int verbose;
+extern int am_daemon;
+extern int am_server;
+
+extern char *ssl_cert_path;
+extern char *ssl_key_path;
+extern char *ssl_key_passwd;
+extern char *ssl_ca_path;
+
+static SSL_CTX *ssl_ctx;
+static SSL *ssl;
+static int tls_read[2] = { -1, -1 };
+static int tls_write[2] = { -1, -1 };
+static int ssl_running;
+static int ssl_min_send_size;
+static int ssl_pid = -1;
+
+#ifdef HAVE_SIGACTION
+static struct sigaction sigact;
+#endif
+
+/* copied from progress.c */
+static unsigned long msdiff(struct timeval *t1, struct timeval *t2)
+{
+	return (t2->tv_sec - t1->tv_sec) * 1000L
+		+ (t2->tv_usec - t1->tv_usec) / 1000;
+}
+
+/**
+ * A non-interactive callback to be passed to SSL_CTX_set_default_password_cb,
+ * which merely copies the value of ssl_key_passwd into buf. This is
+ * used for when the private key password is supplied via an option.
+ */
+static int default_password_cb(char *buf, int n, UNUSED(int f), UNUSED(void *u))
+{
+	if (ssl_key_passwd == NULL || n < (int)strlen(ssl_key_passwd))
+		return 0;
+	strncpy(buf, ssl_key_passwd, n-1);
+	return strlen(ssl_key_passwd);
+}
+
+/**
+ * If verbose, this method traces the status of the SSL handshake.
+ */
+static void info_callback(const SSL *ssl, int cb, int val)
+{
+	char buf[128];
+	char *cbs;
+
+	switch (cb) {
+	case SSL_CB_LOOP:
+		cbs = "SSL_CB_LOOP";
+		break;
+	case SSL_CB_EXIT:
+		cbs = "SSL_CB_EXIT";
+		break;
+	case SSL_CB_READ:
+		cbs = "SSL_CB_READ";
+		break;
+	case SSL_CB_WRITE:
+		cbs = "SSL_CB_WRITE";
+		break;
+	case SSL_CB_ALERT:
+		cbs = "SSL_CB_ALERT";
+		break;
+	case SSL_CB_READ_ALERT:
+		cbs = "SSL_CB_READ_ALERT";
+		break;
+	case SSL_CB_WRITE_ALERT:
+		cbs = "SSL_CB_WRITE_ALERT";
+		break;
+	case SSL_CB_ACCEPT_LOOP:
+		cbs = "SSL_CB_ACCEPT_LOOP";
+		break;
+	case SSL_CB_ACCEPT_EXIT:
+		cbs = "SSL_CB_ACCEPT_EXIT";
+		break;
+	case SSL_CB_CONNECT_LOOP:
+		cbs = "SSL_CB_CONNECT_LOOP";
+		break;
+	case SSL_CB_CONNECT_EXIT:
+		cbs = "SSL_CB_CONNECT_EXIT";
+		break;
+	case SSL_CB_HANDSHAKE_START:
+		cbs = "SSL_CB_HANDSHAKE_START";
+		break;
+	case SSL_CB_HANDSHAKE_DONE:
+		cbs = "SSL_CB_HANDSHAKE_DONE";
+		break;
+	default:
+		snprintf(buf, sizeof buf, "??? (%d)", cb);
+		cbs = buf;
+		break;
+	}
+	if (verbose > 2) {
+		rprintf(FLOG, "SSL: info_callback(%p,%s,%d)\n", ssl, cbs, val);
+		if (cb == SSL_CB_HANDSHAKE_DONE) {
+			SSL_CIPHER_description(SSL_get_current_cipher((SSL*)ssl),
+					       buf, sizeof buf);
+			rprintf(FLOG, "SSL: cipher: %s", buf);
+		}
+	}
+}
+
+/**
+ * Initializes the SSL context for TLSv1 connections; returns zero on
+ * success.
+ */
+int init_tls(void)
+{
+	if (ssl_ctx)
+		return 0;
+	SSL_library_init();
+	SSL_load_error_strings();
+	ssl_ctx = SSL_CTX_new(TLSv1_method());
+	if (!ssl_ctx)
+		return 1;
+	SSL_CTX_set_info_callback(ssl_ctx, info_callback);
+
+	SSL_CTX_set_options(ssl_ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
+
+	/* Sets the certificate sent to the other party. */
+	if (ssl_cert_path != NULL
+	    && SSL_CTX_use_certificate_file(ssl_ctx, ssl_cert_path,
+					    SSL_FILETYPE_PEM) != 1)
+		return 1;
+	/* Set up the simple non-interactive callback if the password
+	 * was supplied on the command line. */
+	if (ssl_key_passwd != NULL)
+		SSL_CTX_set_default_passwd_cb(ssl_ctx, default_password_cb);
+	/* Sets the private key that matches the public certificate. */
+	if (ssl_key_path != NULL) {
+		if (SSL_CTX_use_PrivateKey_file(ssl_ctx, ssl_key_path,
+						SSL_FILETYPE_PEM) != 1)
+			return 1;
+		if (SSL_CTX_check_private_key(ssl_ctx) != 1)
+			return 1;
+	}
+	if (ssl_ca_path != NULL
+	    && !SSL_CTX_load_verify_locations(ssl_ctx, ssl_ca_path, NULL))
+		return 1;
+
+	return 0;
+}
+
+/**
+ * Returns the error string for the current SSL error, if any.
+ */
+char *get_ssl_error(void)
+{
+	return ERR_error_string(ERR_get_error(), NULL);
+}
+
+/**
+ * Returns the input file descriptor for the SSL connection.
+ */
+int get_tls_rfd(void)
+{
+	return tls_read[0];
+}
+
+/**
+ * Returns the output file descriptor for the SSL connection.
+ */
+int get_tls_wfd(void)
+{
+	return tls_write[1];
+}
+
+/**
+ * Signal handler that ends the SSL connection.
+ */
+static RETSIGTYPE tls_sigusr1(int UNUSED(val))
+{
+	ssl_running = 0;
+}
+
+/* Signal handler that starts record-size buffering. */
+static RETSIGTYPE tls_sigusr2(int UNUSED(val))
+{
+	ssl_min_send_size = SSL_MAX_RECORD_SIZE;
+}
+
+/**
+ * Negotiates the TLS connection, creates a socket pair for communicating
+ * with the rsync process, then forks into a new process that will handle
+ * the communication.
+ *
+ * 0 is returned on success.
+ * rsync to network algorithm:
+ * A buffer ring of two buffers is maintained. Data is read from the local
+ * socket into the current buffer. The buffer is eligible for sending if
+ * enough data has been buffered, or enough time has passed. Once the buffer
+ * becomes eligible for sending it is marked "ready" and buffering continues
+ * on the other buffer (assuming it's "unready"). This algorithm tries to
+ * maximize SSL record size.
+ *
+ * network to rsync algorithm:
+ * One receive buffer twice the size of the SSL max record size. Reading
+ * from the network is attempted only if there's enough space for a whole
+ * record (this is done to optimize OpenSSL per-call overhead).
+ * As bytes enter the buffer sending to rsync begins, when the buffer becomes
+ * full we wait for sending to rsync to finish.
+ *
+ * A graceful stop is attempted on both directions. So if the pipe from rsync
+ * is gracefully shut down, we try to send all data to the network before closing
+ * the connection and if the SSL connection is gracefully shut down we try to
+ * send everything to rsync before closing the rsync pipe.
+ */
+int start_tls(int f_in, int f_out)
+{
+	int n = 0, r;
+	unsigned char buf_tonetwork[2][SSL_MAX_RECORD_SIZE], buf_fromnetwork[2*SSL_MAX_RECORD_SIZE];
+	int tonet_ready[2] = {0}, tonet_size[2] = {0}, write_tonet = 0, tonet_fill_idx = 0, tonet_send_idx = 0;
+	struct timeval buffering_start, now, timeout, *tp;
+	int avail_fromnet = 0, write_fromnet = 0;
+	int want_read_fromnet = 1, want_write_tonet = 0;
+	int want_read_fromrsync = 1, want_write_torsync = 0;
+	int write_tonet_blocks = 0, read_fromnet_blocks = 0;
+	int write_torsync_blocks = 0, read_fromrsync_blocks = 0;
+	int ssl_readfd_blocks = 0, ssl_writefd_blocks = 0;
+	int ssl_write_count = 0;
+	int want_more_io;
+	int net_closed = 0, rsync_closed = 0;
+	int loopcount;
+	fd_set rd, wd;
+	const char *ssl_ciphers;
+
+	if (fd_pair(tls_read))
+		return 1;
+	if (fd_pair(tls_write))
+		return 1;
+
+	set_blocking(tls_read[0]);
+	set_nonblocking(tls_read[1]);
+	set_nonblocking(tls_write[0]);
+	set_blocking(tls_write[1]);
+	set_nonblocking(f_in);
+	set_nonblocking(f_out);
+
+	ssl_pid = do_fork();
+	if (ssl_pid < 0)
+		return -1;
+	if (ssl_pid != 0) {
+		close(tls_write[0]);
+		close(tls_read[1]);
+		close(f_in);
+		close(f_out);
+		return 0;
+	}
+
+	close(tls_write[1]);
+	close(tls_read[0]);
+
+	SIGACTION(SIGUSR1, tls_sigusr1);
+	SIGACTION(SIGUSR2, tls_sigusr2);
+	ssl = SSL_new(ssl_ctx);
+	if (!ssl)
+		goto out;
+	if (am_daemon || am_server)
+		SSL_set_accept_state(ssl);
+	else {
+		SSL_set_connect_state(ssl);
+		ssl_ciphers = getenv("RSYNC_SSL_CIPHERS");
+		if (ssl_ciphers)
+			SSL_set_cipher_list(ssl, ssl_ciphers);
+	}
+
+	SSL_set_rfd(ssl, f_in);
+	SSL_set_wfd(ssl, f_out);
+
+	n = tls_write[0];
+	n = MAX(tls_read[1], n);
+	n = MAX(f_in, n);
+	n = MAX(f_out, n) + 1;
+
+	ssl_running = 1;
+	loopcount = 0;
+	while (ssl_running) {
+		++loopcount; /* the loopcount prevents starvation of one transfer direction by the other */
+		want_more_io = 0;
+
+		if (want_read_fromrsync && !read_fromrsync_blocks) {
+			int cur_buf_size = tonet_size[tonet_fill_idx];
+			r = read(tls_write[0], buf_tonetwork[tonet_fill_idx]+cur_buf_size, sizeof(buf_tonetwork[0])-cur_buf_size);
+			if (r > 0) {
+				want_more_io = 1;
+				if (!net_closed) {
+					if (cur_buf_size == 0)
+						gettimeofday(&buffering_start, NULL);
+					cur_buf_size += r;
+					tonet_size[tonet_fill_idx] = cur_buf_size;
+					if (cur_buf_size >= ssl_min_send_size) {
+						want_write_tonet = 1;
+						tonet_ready[tonet_fill_idx] = 1;
+						tonet_fill_idx = !tonet_fill_idx;
+						if (tonet_ready[tonet_fill_idx])
+							want_read_fromrsync = 0;
+					}
+				}
+			} else if (r < 0 && errno == EWOULDBLOCK)
+				read_fromrsync_blocks = 1;
+			else if (r < 0) {
+				rprintf(FERROR, "pipe read error: %s\n",
+					strerror(errno));
+				break;
+			} else {
+				rsync_closed = 1;
+				if (cur_buf_size) {
+					want_write_tonet = 1;
+					tonet_ready[tonet_fill_idx] = 1; /* close current buffer */
+				}
+				want_read_fromrsync = 0; /* don't read */
+				want_write_torsync = 0; /* don't write */
+				read_fromrsync_blocks = 0; /* don't select */
+				write_torsync_blocks = 0;
+				want_read_fromnet = 1; /* purge incoming data from network */
+				avail_fromnet = 0;
+				if (net_closed || !want_write_tonet)
+					break;
+			}
+		}
+
+		if (want_read_fromnet && !read_fromnet_blocks) {
+			r = SSL_read(ssl, buf_fromnetwork+avail_fromnet, SSL_MAX_RECORD_SIZE);
+			if (r > 0) {
+				want_more_io = 1;
+				if (!rsync_closed) {
+					avail_fromnet += r;
+					want_write_torsync = 1;
+					if (avail_fromnet >= (int)(sizeof(buf_fromnetwork)-SSL_MAX_RECORD_SIZE))
+						want_read_fromnet = 0;
+				}
+			} else {
+				switch (SSL_get_error(ssl, r)) {
+				case SSL_ERROR_ZERO_RETURN:
+					net_closed = 1;
+					want_read_fromnet = 0; /* don't read */
+					want_write_tonet = 0; /* don't write */
+					ssl_readfd_blocks = 0; /* and for heaven's sake - don't select() */
+					ssl_writefd_blocks = 0;
+					want_read_fromrsync = 1; /* and purge stuff from rsync side */
+					tonet_size[tonet_fill_idx] = 0;
+					tonet_ready[tonet_fill_idx] = 0;
+					if (rsync_closed || !want_write_torsync)
+						goto graceful_stop;
+					break;
+				case SSL_ERROR_WANT_READ:
+					ssl_readfd_blocks = 1;
+					read_fromnet_blocks = 1;
+					break;
+				case SSL_ERROR_WANT_WRITE:
+					ssl_writefd_blocks = 1;
+					read_fromnet_blocks = 1;
+					break;
+				case SSL_ERROR_SYSCALL:
+					if (r == 0)
+						rprintf(FERROR, "SSL spurious EOF\n");
+					else
+						rprintf(FERROR, "SSL I/O error: %s\n",
+							strerror(errno));
+					goto closed;
+				case SSL_ERROR_SSL:
+					rprintf(FERROR, "SSL %s\n",
+						ERR_error_string(ERR_get_error(), NULL));
+					goto closed;
+				default:
+					rprintf(FERROR, "unexpected ssl error %d\n", r);
+					goto closed;
+				}
+			}
+		}
+
+		if (want_write_torsync && !write_torsync_blocks) {
+			r = write(tls_read[1], buf_fromnetwork+write_fromnet, avail_fromnet-write_fromnet);
+			if (r > 0) {
+				want_more_io = 1;
+				write_fromnet += r;
+				if (write_fromnet >= avail_fromnet) {
+					write_fromnet = 0;
+					avail_fromnet = 0;
+					if (net_closed)
+						break;
+					want_read_fromnet = 1;
+					want_write_torsync = 0;
+				}
+			}
+			else if (errno == EWOULDBLOCK)
+				write_torsync_blocks = 1;
+			else {
+				if (errno != EPIPE)
+					rprintf(FERROR, "pipe write error: %s\n", strerror(errno));
+				break;
+			}
+		}
+
+		if (want_write_tonet && !write_tonet_blocks) {
+			/* lock the write count, 'cause if SSL_write fails on non-blocking IO, it
+			 * must be repeated with same parameters. */
+			if (ssl_write_count == 0)
+				ssl_write_count = tonet_size[tonet_send_idx] - write_tonet;
+			r = SSL_write(ssl, buf_tonetwork[tonet_send_idx]+write_tonet, ssl_write_count);
+			if (r > 0) {
+				want_more_io = 1;
+				write_tonet += r;
+				ssl_write_count = 0;
+				if (write_tonet >= tonet_size[tonet_send_idx]) {
+					write_tonet = 0;
+					tonet_size[tonet_send_idx] = 0;
+					tonet_ready[tonet_send_idx] = 0;
+					if (!rsync_closed)
+						want_read_fromrsync = 1;
+					tonet_send_idx = !tonet_send_idx;
+					if (!tonet_ready[tonet_send_idx]) {
+						want_write_tonet = 0;
+						if (rsync_closed)
+							break;
+					}
+				}
+			} else {
+				switch (SSL_get_error(ssl, r)) {
+				case SSL_ERROR_ZERO_RETURN:
+					goto graceful_stop;
+				case SSL_ERROR_WANT_READ:
+					ssl_readfd_blocks = 1;
+					write_tonet_blocks = 1;
+					break;
+				case SSL_ERROR_WANT_WRITE:
+					ssl_writefd_blocks = 1;
+					write_tonet_blocks = 1;
+					break;
+				case SSL_ERROR_SYSCALL:
+					if (r == 0)
+						rprintf(FERROR, "SSL: spurious EOF\n");
+					else
+						rprintf(FERROR, "SSL: I/O error: %s\n", strerror(errno));
+					goto closed;
+				case SSL_ERROR_SSL:
+					rprintf(FERROR, "SSL: %s\n",
+						ERR_error_string(ERR_get_error(), NULL));
+					goto closed;
+				default:
+					rprintf(FERROR, "unexpected ssl error %d\n", r);
+					goto closed;
+				}
+			}
+		}
+
+		if (!want_more_io || (loopcount&31) == 0) {
+			int has_buffered = 0;
+			if (!net_closed && !tonet_ready[tonet_fill_idx] && tonet_size[tonet_fill_idx]) {
+				has_buffered = 1;
+				unsigned long buffering_time;
+				gettimeofday(&now,NULL);
+				buffering_time = msdiff(&buffering_start,&now);
+				if (buffering_time >= MAX_BUFFERING_TIME_MS) {
+					want_write_tonet = 1;
+					want_more_io = 1;
+					tonet_ready[tonet_fill_idx] = 1;
+					tonet_fill_idx = !tonet_fill_idx;
+					if (tonet_ready[tonet_fill_idx])
+						want_read_fromrsync = 0;
+				}
+			}
+
+			int waiting_on_something = 0;
+			FD_ZERO(&rd);
+			FD_ZERO(&wd);
+			if (read_fromrsync_blocks) {
+				waiting_on_something = 1;
+				FD_SET(tls_write[0], &rd);
+			}
+			if (write_torsync_blocks) {
+				waiting_on_something = 1;
+				FD_SET(tls_read[1], &wd);
+			}
+			if (ssl_readfd_blocks) {
+				waiting_on_something = 1;
+				FD_SET(f_in, &rd);
+			}
+			if (ssl_writefd_blocks) {
+				waiting_on_something = 1;
+				FD_SET(f_out, &wd);
+			}
+
+			if (want_more_io) {
+				/* just poll to see if some sockets became non-blocking*/
+				timeout.tv_sec = 0;
+				timeout.tv_usec = 0;
+				tp = &timeout;
+			} else if (waiting_on_something && !has_buffered)
+				tp = NULL; /*infinite wait until a socket becomes available*/
+			else {
+				timeout.tv_sec = MAX_BUFFERING_TIME_MS/1000;
+				timeout.tv_usec = (MAX_BUFFERING_TIME_MS%1000)*1000;
+				tp = &timeout;
+			}
+
+			if (waiting_on_something || !want_more_io) {
+				r = select(n, &rd, &wd, NULL, tp);
+
+				if (r == -1) {
+					if (errno != EINTR) {
+						rprintf(FERROR, "select error: %s\n",
+							strerror(errno));
+						break;
+					}
+				}
+
+				if (r > 0) {
+					if (FD_ISSET(tls_write[0], &rd))
+						read_fromrsync_blocks = 0;
+					if (FD_ISSET(f_in,&rd)) {
+						read_fromnet_blocks = 0;
+						write_tonet_blocks = 0;
+						ssl_readfd_blocks = 0;
+					}
+					if (FD_ISSET(tls_read[1],&wd))
+						write_torsync_blocks = 0;
+					if (FD_ISSET(f_out,&wd)) {
+						read_fromnet_blocks = 0;
+						write_tonet_blocks = 0;
+						ssl_writefd_blocks = 0;
+					}
+				}
+			}
+		}
+	}
+
+  graceful_stop:
+	/* The SSL shutdown API looks pretty broken with respect to corner cases
+	 * where the underlying socket is blocking. This is a "best effort". */
+	if (SSL_shutdown(ssl) != 1)
+		SSL_shutdown(ssl);
+  closed:
+	SSL_free(ssl);
+
+	/* We're finished. */
+  out:
+	close(tls_read[1]);
+	close(tls_write[0]);
+	close(f_in);
+	if (f_out != f_in)
+		close(f_out);
+	_exit(0);
+}
+
+void start_tls_buffering(void)
+{
+	if (ssl_pid > 0)
+		kill(ssl_pid, SIGUSR2);
+}
+
+/**
+ * Ends the TLS connection.
+ */
+void end_tls(void)
+{
+	if (ssl_pid > 0) {
+		int status;
+		/* try a graceful stop - this makes sure all data is sent, and
+		 * also causes our side to send a close_notify alert, as required
+		 * by TLS specs. */
+		close(get_tls_rfd());
+		if (get_tls_wfd() != get_tls_rfd())
+			close(get_tls_wfd());
+		terminate_process(ssl_pid, &status, SIGUSR1, 1);
+		ssl_pid = -1;
+	}
+}
diff -up a/config.h.in b/config.h.in
--- a/config.h.in
+++ b/config.h.in
@@ -200,6 +200,9 @@
 /* Define to 1 if you have the `socket' library (-lsocket). */
 #undef HAVE_LIBSOCKET
 
+/* Define to 1 if you have the `ssl' library (-lssl). */
+#undef HAVE_LIBSSL
+
 /* Define to 1 if you have the <limits.h> header file. */
 #undef HAVE_LIMITS_H
 
@@ -274,6 +277,9 @@
 /* Define to 1 if you have the `open64' function. */
 #undef HAVE_OPEN64
 
+/* true if you want to use SSL. */
+#undef HAVE_OPENSSL
+
 /* true if you have Mac OS X ACLs */
 #undef HAVE_OSX_ACLS
 
diff -up a/configure.sh b/configure.sh
--- a/configure.sh
+++ b/configure.sh
@@ -600,6 +600,7 @@ OBJ_RESTORE
 OBJ_SAVE
 ALLOCA
 LIBOBJS
+SSL_OBJS
 HAVE_YODL2MAN
 HAVE_REMSH
 INSTALL_DATA
@@ -676,6 +677,7 @@ with_nobody_group
 enable_largefile
 enable_ipv6
 enable_locale
+enable_openssl
 enable_iconv_open
 enable_iconv
 enable_acl_support
@@ -1310,6 +1312,7 @@ Optional Features:
   --disable-largefile     omit support for large files
   --disable-ipv6          do not even try to use IPv6
   --disable-locale        disable locale features
+  --enable-openssl        compile SSL support with OpenSSL.
   --disable-iconv-open    disable all use of iconv_open() function
   --disable-iconv         disable rsync's --iconv option
   --disable-acl-support   disable ACL support
@@ -4748,6 +4751,76 @@ if test x"$enable_locale" != x"no"; then
 
 fi
 
+# Check whether --enable-openssl was given.
+if test "${enable_openssl+set}" = set; then :
+  enableval=$enable_openssl;
+fi
+
+
+if test "x$enable_openssl" != xno
+then
+	save_LIBS=$LIBS
+	LIBS="$LIBS -lcrypto"
+	have_ssl=yes
+	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_library_init in -lssl" >&5
+$as_echo_n "checking for SSL_library_init in -lssl... " >&6; }
+if test "${ac_cv_lib_ssl_SSL_library_init+set}" = set; then :
+  $as_echo_n "(cached) " >&6
+else
+  ac_check_lib_save_LIBS=$LIBS
+LIBS="-lssl  $LIBS"
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+/* Override any GCC internal prototype to avoid an error.
+   Use char because int might match the return type of a GCC
+   builtin and then its argument prototype would still apply.  */
+#ifdef __cplusplus
+extern "C"
+#endif
+char SSL_library_init ();
+int
+main ()
+{
+return SSL_library_init ();
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+  ac_cv_lib_ssl_SSL_library_init=yes
+else
+  ac_cv_lib_ssl_SSL_library_init=no
+fi
+rm -f core conftest.err conftest.$ac_objext \
+    conftest$ac_exeext conftest.$ac_ext
+LIBS=$ac_check_lib_save_LIBS
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_library_init" >&5
+$as_echo "$ac_cv_lib_ssl_SSL_library_init" >&6; }
+if test "x$ac_cv_lib_ssl_SSL_library_init" = x""yes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_LIBSSL 1
+_ACEOF
+
+  LIBS="-lssl $LIBS"
+
+else
+  have_ssl=no
+fi
+
+	if test "x$have_ssl" = xyes
+	then
+
+$as_echo "#define HAVE_OPENSSL 1" >>confdefs.h
+
+		SSL_OBJS=ssl.o
+
+	else
+		LIBS=$save_LIBS
+	fi
+fi
+
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to call shutdown on all sockets" >&5
 $as_echo_n "checking whether to call shutdown on all sockets... " >&6; }
 case $host_os in
diff -up a/proto.h b/proto.h
--- a/proto.h
+++ b/proto.h
@@ -241,6 +241,7 @@ void maybe_log_item(struct file_struct *
 void log_delete(const char *fname, int mode);
 void log_exit(int code, const char *file, int line);
 pid_t wait_process(pid_t pid, int *status_ptr, int flags);
+pid_t terminate_process(pid_t pid, int *status_ptr, int signo, int graceful);
 int child_main(int argc, char *argv[]);
 void start_server(int f_in, int f_out, int argc, char *argv[]);
 int client_run(int f_in, int f_out, pid_t pid, int argc, char *argv[]);
@@ -294,6 +295,13 @@ int open_socket_out_wrapped(char *host,
 int is_a_socket(int fd);
 void start_accept_loop(int port, int (*fn)(int, int));
 void set_socket_options(int fd, char *options);
+int init_tls(void);
+char *get_ssl_error(void);
+int get_tls_rfd(void);
+int get_tls_wfd(void);
+int start_tls(int f_in, int f_out);
+void start_tls_buffering(void);
+void end_tls(void);
 int do_unlink(const char *fname);
 int do_symlink(const char *fname1, const char *fname2);
 int do_link(const char *fname1, const char *fname2);
